Heads up -- new TOR browser bundle signing key

Discussion in 'privacy technology' started by Palancar, Feb 26, 2015.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    TOR bundle 4.0.4 was released. When I tried to validate my download I was unable to do so. Erinn Clark is no longer signing the TBB releases. The developers are now using the key below. It clearly states so on the TOR site.

    I thought I downloaded a bad package but TOR just changed the signing key.

For Linux users it's simple to add using the terminal:

    Developer signs the Tor Browsers. Import the key (0x4E2C6E8793298290) by starting the terminal and typing:

    gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

    After importing the key, you can verify that the fingerprint is correct:

    gpg --fingerprint 0x4E2C6E8793298290

    You should see:

    pub 4096R/93298290 2014-12-15
    Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
    uid Tor Browser Developers (signing key) <torbrowser@torproject.org>
    sub 4096R/F65C2036 2014-12-15
    sub 4096R/D40814E0 2014-12-15
    sub 4096R/589839A3 2014-12-15
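The import-and-check procedure above, as an added POSIX shell example (not code from the post or from the Tor Project): it pins the fingerprint quoted in the thread, checks the imported key against it, and then verifies a downloaded bundle against its detached `.asc` signature while insisting that the signature chains to that pinned key. The keyserver (`hkps://keys.openpgp.org`) and the bundle file name are assumptions; the `check_*` functions read gpg output on stdin so they can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the forum post or the Tor Project): pin the
# Tor Browser Developers signing-key fingerprint quoted in the thread, check the
# imported key against it, and verify a bundle against its detached signature.

KEY_ID="0x4E2C6E8793298290"
# Fingerprint exactly as printed in the thread, with the spaces removed.
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Read `gpg --fingerprint` output on stdin; pass only if the first 40-hex-digit
# fingerprint it prints equals the pinned one. Works for the older
# "Key fingerprint = ..." layout and for newer gpg, which prints a bare line.
check_fingerprint() {
    found=$(tr -d ' ' | grep -oE '[0-9A-F]{40}' | head -n 1)
    [ "$found" = "$EXPECTED_FPR" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin. "Good signature" alone is
# not enough: gpg exits 0 for a good signature from *any* key in the keyring.
# Accept only a VALIDSIG record whose last field (the primary-key fingerprint;
# Tor signs with a subkey, so the first field is the subkey's) is the pinned one.
check_validsig() {
    awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Fetch the key. keys.openpgp.org is an assumed keyserver; the thread used
# pool.sks-keyservers.net.
import_key() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$KEY_ID"
}

# verify_bundle tor-browser-linux64-4.0.4_en-US.tar.xz   (assumed file name;
# the detached signature is expected alongside it as "$1.asc")
verify_bundle() {
    bundle="$1"
    gpg --fingerprint "$KEY_ID" | check_fingerprint || {
        echo "fingerprint mismatch for $KEY_ID" >&2; return 1; }
    gpg --status-fd 1 --verify "$bundle.asc" "$bundle" 2>/dev/null | check_validsig || {
        echo "signature on $bundle is not from the pinned key" >&2; return 1; }
    echo "$bundle: signature verified against pinned key" >&2
}

# Only act when a bundle path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    import_key && verify_bundle "$1"
fi
```

The point of `check_validsig` is the caveat a `gpg --verify` one-liner hides: once several keys sit in the keyring, "Good signature" only says the file was signed by *some* imported key, so the script compares the VALIDSIG primary-key fingerprint against the value you pinned out of band.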
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
On a related note I am soliciting opinions and experience. After studying the TBB "internal updater" it appears that there might be a security risk to internally updating your TBB version. To me it looks like the CA selected by the updater could be suspect since it relies upon a CA selection. It does not work like validation of a whole download via gpg. I have no working proof, it's just that the process appears to have a weakness. It is being discussed at TOR. I hear rumors that the new alphas are testing a full gpg validation during the internal update. Staying tuned!

    After looking at this I have decided to always (for now anyway) use a full download and then gpg validate the package. From there I'll disburse as needed.

    Another convenience (internal updater) vs security debate.

    How are you guys handling the version updates? I am betting most take the easy/quick route and internally update.
     
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
I always manually download the new release version of TBB from the official website.

    I never have used the updater. To me I like a fresh install.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I download manually from the website and extract it on my RAM disk. Don't even keep TBB installed.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I also think there is something to be said for a fresh start via a new version package. The hassle is re-doing any special configs. Notably, I don't know why TOR sends the bundle with no script set open. The first thing I do is close it. I do know their argument but it doesn't make sense to me.

J_L, do you always run TOR in RAM? I can see times for a "Tails-like" approach. How are you running the rest of the time (trying to learn, not to be invasive)? How is what you are doing any different than just running TAILS?
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
I always do, because I rarely use it. The rest of the time, I treat everything as public info or at least government-aware. Running TAILS would be overkill and less convenient as you have to reboot (and might not have full hardware support).

    Of course, NoScript is enabled and downloads are all stored on the RAM disk as well before encryption or proper storage.
     